What are the most common mistakes you see companies make when conducting a BIA? Also, who should conduct a BIA? Is it best conducted internally or should organizations consider hiring an outside auditor or consultant?
One common business impact assessment mistake is confusing the business criticality of an application with its importance to the business. For example, email is often overrated in terms of criticality because people depend on it so much to get through their work day. Companies must focus on determining whether the outage has a significant impact, such as losses, or whether it is simply a painful inconvenience to getting work done. Criticality of processes and applications may change over time, so it is a mistake to think the BIA is a one-time process. It must be maintained regularly.
Another common mistake made during the assessment is trying to mitigate all risks during the BIA, thinking it will reduce the impact. The impact must be determined regardless because it will not change. A critical application remains critical unless the business model changes and no longer depends on it; going into "solution mode" before the impact is clearly understood can result in misallocation of budget for the risk-mitigation strategy. Finally, another common mistake is the failure to engage the right people in the BIA process. The IT department may have a basic understanding of an application's criticality, but it can often be based on perception rather than true impact to the business. Senior executive support and participation are essential to a successful BIA.
As to who should conduct the assessment, this is a common struggle for many companies that often feel no one knows their business as well as they do, but at the same time do not know where to start with the BIA process. The BIA is best conducted by someone who has experience with the process, who relies on an industry-accepted methodology and understands the challenges, shortfalls and common mistakes. This person is usually a qualified consultant, especially for companies conducting a BIA for the first time.
A consultant should be unbiased and be able to ignore internal politics that may otherwise affect the criticality and priority rating of certain business processes and applications. A consultant is also able to challenge some of the claims regarding criticality and potential losses using past experience. However, a consultant cannot work in a vacuum and needs input from the various business units, at which point the BIA becomes a collaborative effort. Because the BIA must usually be maintained on a yearly basis, there is an opportunity for a company to assign one of its employees to shadow the consultant during the BIA process for training and knowledge transfer. This allows the company to assign the BIA maintenance task internally going forward.
Related Q&A from Pierre Dorion